July 2004 - Posts
Domains are not considered security boundaries in Active Directory. They provide some delegation of administrative duties, but unauthorized administrators in one domain have methods of gaining administrative rights at the root of the forest, and thus gaining rights to the whole forest. The only way to ensure administrative boundaries in Active Directory is to create a separate forest.
While it might be possible to design your SMS site such that it spans the forests, this kind of site design is not supported by SMS 2003. The SMS site server must have administrative access to all site systems. To grant an SMS account from one forest administrative access to a site system in another forest would violate this security boundary. Therefore, you must have at least one SMS site in each forest and design the site so that it does not span forests.
If you require multiple SMS sites in multiple Active Directory forests, each forest must have at least one primary site. A secondary child site cannot attach to a parent in a different forest.
From Scenarios and Procedures for Microsoft Systems Management Server 2003: Security
http://www.microsoft.com/downloads/details.aspx?familyid=3d81b520-a203-4376-a72d-fd34a6c4a44c&displaylang=en
20040908 update:
a confirmation from a PM:
SMS 2003 does support a single primary site (not secondary) with Advanced Clients in other forests than the site systems. No remote site system or Legacy Client support, only Advanced Clients.
[PDF]
Version=2.0
[Package Definition]
Publisher=Microsoft
Name=Internet Explorer
Version=6.0
Language=English
MIFNAME=IE
MIFPUBLISHER=MS
MIFVERSION=6
MIFFILENAME=iesmswrap.mif
Programs=IE6
[IE6]
Name=Internet Explorer 6.0
CommandLine=ie6setup.exe /Q /R:N
AdminRightsRequired=True
UserInputRequired=True
DriveLetterConnection=False
AfterRunning=SMSRestart
CanRunWhen=UserLoggedOn
SupportedClients=Win NT (I386), Win 9x
Win NT (I386) MinVersion1=4.00.0000.0
Win NT (I386) MaxVersion1=4.00.9999.9999
Win NT (I386) MinVersion2=5.00.0000.0
Win NT (I386) MaxVersion2=5.01.9999.9999
Win 9x MinVersion1=0.00.0000.0
Win 9x MaxVersion1=99.99.9999.9999
Reference:
http://www.microsoft.com/resources/documentation/ie/6/all/reskit/en-us/part7/z09ie6rk.mspx
http://www.microsoft.com/windows/ieak/techinfo/deploy/60/en/default.mspx
http://support.microsoft.com/?id=197147
http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=e5a33392-77a2-4d9c-a70e-8eb1369c85ed
[PDF]
Version=2.0
[Package Definition]
Publisher=Microsoft
Name=Service Pack 4 for Windows 2000
Version=5.0
Language=????
MIFNAME=Windows 2000
MIFPUBLISHER=Microsoft
MIFVERSION=Service Pack 4
MIFFILENAME=ntsvcpak.mif
Programs=ManualUpdate,UnattendUpdate
[ManualUpdate]
Name=????
CommandLine=update\update.exe -z
AdminRightsRequired=True
UserInputRequired=True
DriveLetterConnection=False
AfterRunning=SMSRestart
CanRunWhen=UserLoggedOn
SupportedClients=Win NT (I386)
Win NT (I386) MinVersion1=5.00.0000.0
Win NT (I386) MaxVersion1=5.00.9999.9999
[UnattendUpdate]
Name=??????
CommandLine=update\update.exe -u -z
AdminRightsRequired=True
UserInputRequired=False
DriveLetterConnection=False
AfterRunning=SMSRestart
CanRunWhen=AnyUserStatus
SupportedClients=Win NT (I386)
Win NT (I386) MinVersion1=5.00.0000.0
Win NT (I386) MaxVersion1=5.00.9999.9999
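A pre-import check for package definition files like the two above, as an added example that is not part of the original posts or of SMS. The rules it applies (section names must match the Programs= list exactly, every program needs a CommandLine, and programs that combine admin rights with user input get flagged for review) are this example's assumptions, and the sample file is constructed.

```python
import configparser

# Constructed sample modelled on the definition files above; not a real package.
SAMPLE = r"""[PDF]
Version=2.0
[Package Definition]
Name=Example Service Pack
Programs=ManualUpdate,UnattendUpdate,Cleanup
[ManualUPdate]
CommandLine=update\update.exe -z
AdminRightsRequired=True
UserInputRequired=True
CanRunWhen=UserLoggedOn
[UnattendUpdate]
CommandLine=update\update.exe -u -z
AdminRightsRequired=True
UserInputRequired=False
CanRunWhen=AnyUserStatus
"""

def _flag(section, key):
    """True only when the key is present and set to 'True' (any case)."""
    return section.get(key, "").strip().lower() == "true"

def lint_package_definition(text):
    """Return (program, finding) tuples; the rules are this example's assumptions."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(text)
    by_lower = {name.lower(): name for name in cp.sections()}
    pkg = by_lower.get("package definition")
    if pkg is None:
        return [("<package>", "no [Package Definition] section")]
    findings = []
    listed = [p.strip() for p in cp[pkg].get("Programs", "").split(",") if p.strip()]
    for prog in listed:
        actual = by_lower.get(prog.lower())
        if actual is None:
            findings.append((prog, "listed in Programs= but has no section"))
            continue
        if actual != prog:
            findings.append((prog, f"section header is spelled [{actual}]"))
        sec = cp[actual]
        if not sec.get("CommandLine", "").strip():
            findings.append((prog, "no CommandLine"))
        if _flag(sec, "AdminRightsRequired") and _flag(sec, "UserInputRequired"):
            findings.append((prog, "admin rights plus user input: review what the installer UI exposes"))
        if _flag(sec, "UserInputRequired") and sec.get("CanRunWhen", "").strip() != "UserLoggedOn":
            findings.append((prog, "expects user input but may run with no user logged on"))
    return findings

if __name__ == "__main__":
    for prog, finding in lint_package_definition(SAMPLE):
        print(f"{prog}: {finding}")
```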
In a recent SMS deployment project for the local government, the customer wants a solution to keep all Windows OSes (mainly Win2k and XP) up to date. I concluded there should be the following scenarios:
Scenario 1: Already installed computer
Step 1: the computer will detect the service pack level automatically
by SMS's OS inventory results (this method still needs the administrator's involvement)
Step 2: the computer will install the service pack based on the results of step 1
assign the service pack to the SMS collection
Step 3: deploy hotfixes with the patch management system (i.e. SMS) in day-to-day operation
Scenario 2: Newly installed computer
Step 1: deploy the OS by integrated installation
by using RIS or an integrated CD
Step 2: deploy hotfixes with the patch management system (i.e. SMS) in day-to-day operation
Generally, I think this procedure can apply the configuration management in MOF...
• Choose an installation method.
• Identify the deployment tools and files.
• Determine upgrade options.
• Check space requirements. (better 1G free space for C:\ if %windir% is on c:\)
• Test the deployment in your environment.
Choosing an Installation Method
The service pack supports the following installation methods:
• The update installation
• The integrated installation.
• The combination installation
Installing Service Pack 4 for Windows 2000 by using SMS
Microsoft Windows XP Service Pack 1 Installation and Deployment Guide
Installing Windows XP Service Pack 1 by Using Systems Management Server
Can the xppro.sms deploy XP SP1? From the definition file, I only find the following command line:
“CommandLine=i386\winnt32.exe /UNATTEND30 /BATCH /NOREBOOT”
I will verify it.
OK, it's for deploying Windows XP, not the service pack!
For example, you might want to upgrade every client at your site to a new service pack of Windows 2000, but minimize the disruption to users. In this case, within the properties of the service pack program, select the
Only when no user is logged on option. Then, create an assignment to run the service pack
program at the most convenient time for your organization. When the assignment time is reached,
all systems with no user logged on will run the service pack program. All client computers with a
logged on user will wait to run the program until the current user logs off. You can also choose to
allow users to run the program manually before the program assignment time. To do so, select
Allow users to run the program independently of assignments in the advertisement.
I set up my weblog yesterday; it seems that it is based on pure .NET tech. Cool!